VPC sharing allows multiple accounts to create their application resources, such as Elastic Compute Service (ECS), Server Load Balancer (SLB), and ApsaraDB for RDS instances, in shared and centrally managed Alibaba Cloud Virtual Private Clouds (VPCs). Shared VPCs are based on the Resource Sharing (RS) mechanism: a VPC owner can share VSwitches with accounts that belong to the same Alibaba Cloud enterprise account organization as the owner.
The owner of the VPC (the resource owner) shares its non-default VSwitches with other accounts (the participants). The owner and the participants must belong to the same resource directory. Resource Directory is a hierarchical resource-relationship management service that enterprises can use to build a hierarchical map of the relationships among their resources. For more information, see Overview.
Resource owner permissions and participant permissions
After a resource owner shares a VSwitch with a participant, the resource owner and the participant have the following permissions on the shared VSwitch and the resources in the shared VSwitch:
|User group|Operations supported|Operations not supported|
|---|---|---|
|Resource owner| |Modify or delete resources created by participants in a shared VSwitch.|
|Participant|Create, modify, or delete cloud resources, such as ECS, SLB, and ApsaraDB for RDS instances, in a shared VSwitch.|View, modify, or delete the resources created by other accounts in a shared VSwitch.|
|Participant (after the VSwitch is unshared)|Continue using the resources that were created in the VSwitch while it was shared, and modify or delete only those existing resources.|View resources related to the VSwitch, such as the VPC, route tables, CIDR blocks, and network ACLs, or create new resources in the unshared VSwitch.|
|Network resource|Resource owner operations|Participant operations|
|---|---|---|
|VPC|All operations.|View the VPC of the VSwitches shared with the participant. Note: If a participant wants to delete a VSwitch, make sure that the VSwitch is in the unshared state and that all resources associated with it are deleted, including the resources created by the participant and by the resource owner.|
|Route tables|All operations.|View the route tables and route entries that are bound to the VSwitches shared with the participant.|
|Network ACL|All operations.|View the network ACLs that are bound to the VSwitches shared with the participant.|
|CIDR block|View the VPC and the CIDR blocks of all VSwitches.|View the CIDR blocks of the VSwitches shared with the participant.|
|Network Address Translation (NAT) Gateway|All operations.| |
|VPN Gateway|All operations.|Note: The resources created by the resource owner and the resources created by participants can access the external network through a VPN gateway.|
|Association with a CEN instance|All operations.|Note: The resources created by the resource owner and the resources created by participants can access the external network through CEN.|
|VPC peering connection|All operations.|Note: The resources created by the resource owner and the resources created by participants can access the external network through a VPC peering connection.|
|Tag|Resource sharing does not affect the tags bound to the resources of the resource owner. After a VSwitch is shared, both the resource owner and the participants can configure tags. Tags configured by participants and tags configured by the resource owner are not visible to each other and do not affect each other. When a VSwitch is unshared, the system deletes the tags that participants configured on the VSwitch.| |
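The two permission tables above describe a small authorization model: who may act on a shared VSwitch, on the network resources around it, and on the instances created inside it, both while the share is active and after it is removed. The following Python model is an added illustration, not Alibaba Cloud code or an Alibaba Cloud API: the account IDs, VSwitch and instance IDs, action names and the `VSwitch`/`Instance` types are constructed for the example. It treats VSwitch deletion as an owner operation, and where the tables are silent (whether the owner can view participant-created instances) it fails closed.

```python
"""Toy authorization model of the VPC-sharing permission tables.

Added illustration only: account IDs, VSwitch/instance IDs, action names and
the helper types are constructed for this example and are not an Alibaba
Cloud API.
"""
from dataclasses import dataclass, field
from typing import Optional, Sequence

# Network resources a participant may only *view*, and only while the VSwitch
# is shared with them (VPC, route tables, network ACLs, CIDR blocks).
PARTICIPANT_VIEW_ONLY = {"vpc", "route_table", "network_acl", "cidr_block"}
# Gateways, CEN association and peering: the table lists owner operations only.
OWNER_ONLY = {"nat_gateway", "vpn_gateway", "cen", "vpc_peering"}


@dataclass
class VSwitch:
    vsw_id: str
    owner: str                                     # resource owner's account ID
    is_default: bool = False                       # default VSwitches cannot be shared
    shared_with: set = field(default_factory=set)  # participant account IDs


@dataclass
class Instance:
    """An ECS, SLB or ApsaraDB for RDS instance created inside a VSwitch."""
    inst_id: str
    vsw_id: str
    created_by: str


def authorize(actor: str, action: str, vsw: VSwitch,
              inst: Optional[Instance] = None,
              instances: Sequence[Instance] = ()) -> bool:
    """Return True if `actor` may perform `action`.

    action is one of:
      create_instance | view_instance | modify_instance | delete_instance
      view:<kind> | modify:<kind>    (kind from the two sets above)
      delete_vswitch
    """
    is_owner = actor == vsw.owner
    shared_with_actor = actor in vsw.shared_with

    if action == "delete_vswitch":
        # Assumption: owner operation. Allowed only once the VSwitch is unshared
        # and every instance in it (owner- or participant-created) is gone.
        remaining = [i for i in instances if i.vsw_id == vsw.vsw_id]
        return is_owner and not vsw.shared_with and not remaining

    if action == "create_instance":
        # Participants create only in a non-default VSwitch currently shared
        # with them; once unshared, no new resources.
        return is_owner or (shared_with_actor and not vsw.is_default)

    if action in {"view_instance", "modify_instance", "delete_instance"}:
        if inst is None or inst.vsw_id != vsw.vsw_id:
            return False
        # Own instances stay manageable even after the VSwitch is unshared.
        if inst.created_by == actor:
            return True
        # Owner may not modify/delete participant-created instances; participants
        # may not view/modify/delete instances created by other accounts. The
        # page does not say whether the owner can *view* them: fail closed.
        return False

    if ":" in action:
        verb, kind = action.split(":", 1)
        if kind not in PARTICIPANT_VIEW_ONLY | OWNER_ONLY:
            return False
        if is_owner:
            # "All operations", except that the CIDR row grants the owner view only.
            return verb == "view" or kind != "cidr_block"
        return kind in PARTICIPANT_VIEW_ONLY and verb == "view" and shared_with_actor

    return False  # unknown action: deny


if __name__ == "__main__":
    vsw = VSwitch("vsw-example", owner="owner-acct", shared_with={"part-a"})
    ecs = Instance("i-example", vsw.vsw_id, created_by="part-a")
    for actor, action in [("part-a", "create_instance"),
                          ("owner-acct", "delete_instance"),
                          ("part-a", "modify:route_table")]:
        print(actor, action, authorize(actor, action, vsw, ecs))
```

Running the module prints three decisions; the useful exercise is to unshare the VSwitch (empty `shared_with`) and re-run the participant checks, which is where the "continue using, but cannot create or view network resources" rule from the first table shows up.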
In a shared VPC, participants only pay for the resources that they have created, such as ECS instances, SLB instances, and ApsaraDB for RDS instances. Fees charged for gateway resources, such as NAT gateways, VPN gateways, and Internet bandwidth, are paid by the resource owner.
|Item|Limit|Quota increase supported|
|---|---|---|
|Number of participants supported by a VPC|20|Not adjustable.|
|Number of participants supported by a VSwitch in a VPC|20|Not adjustable.|
|Number of VSwitches that can be shared with a participant|10|Not adjustable.|
|Number of IP addresses that a VPC can use|Shared by the resource owner and participants.|Not adjustable.|
|Types of VSwitches that can be shared|Non-default VSwitches.|Not adjustable.|
|Regions that support VPC sharing| | |
|Cloud resources that can be created in a shared VSwitch| | |
|Limits on security groups in a shared VPC| | |
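Because none of the limits above can be raised, a sharing plan is best checked before any share is created. The following Python pre-flight check is an added example, not Alibaba Cloud code: the `ShareEntry` plan format, the `directory` lookup that stands in for the real resource directory membership check, and every account, VPC and VSwitch ID are constructed; the three numeric limits and the non-default rule are the ones the table states.

```python
"""Pre-flight check of a VSwitch sharing plan against the fixed sharing quotas.

Added illustration only: the plan format, the resource-directory lookup and
all account, VPC and VSwitch IDs are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

MAX_PARTICIPANTS_PER_VPC = 20        # participants supported by a VPC
MAX_PARTICIPANTS_PER_VSWITCH = 20    # participants supported by one VSwitch
MAX_VSWITCHES_PER_PARTICIPANT = 10   # VSwitches shared with one participant


@dataclass
class ShareEntry:
    vsw_id: str
    vpc_id: str
    is_default: bool
    participants: Set[str]   # account IDs the VSwitch would be shared with


def validate_plan(owner: str, directory: Dict[str, str],
                  plan: List[ShareEntry]) -> List[str]:
    """Return human-readable violations; an empty list means the plan fits.

    `directory` maps account ID -> resource directory ID (constructed lookup
    standing in for the real membership check).
    """
    violations: List[str] = []
    per_vpc: Dict[str, Set[str]] = defaultdict(set)
    per_participant: Dict[str, Set[str]] = defaultdict(set)
    owner_rd = directory.get(owner)

    for entry in plan:
        if entry.is_default:
            violations.append(f"{entry.vsw_id}: default VSwitches cannot be shared")
        if len(entry.participants) > MAX_PARTICIPANTS_PER_VSWITCH:
            violations.append(
                f"{entry.vsw_id}: {len(entry.participants)} participants on one "
                f"VSwitch exceeds {MAX_PARTICIPANTS_PER_VSWITCH}")
        for account in entry.participants:
            if directory.get(account) != owner_rd:
                violations.append(
                    f"{entry.vsw_id}: {account} is not in the owner's resource directory")
            per_vpc[entry.vpc_id].add(account)
            per_participant[account].add(entry.vsw_id)

    # Cross-entry limits: distinct participants per VPC, VSwitches per participant.
    for vpc_id, accounts in per_vpc.items():
        if len(accounts) > MAX_PARTICIPANTS_PER_VPC:
            violations.append(
                f"{vpc_id}: {len(accounts)} distinct participants in VPC exceeds "
                f"{MAX_PARTICIPANTS_PER_VPC}")
    for account, vsws in per_participant.items():
        if len(vsws) > MAX_VSWITCHES_PER_PARTICIPANT:
            violations.append(
                f"{account}: {len(vsws)} VSwitches shared with one participant exceeds "
                f"{MAX_VSWITCHES_PER_PARTICIPANT}")
    return violations


if __name__ == "__main__":
    # Constructed sample: one valid share and one that breaks two rules.
    directory = {"owner": "rd-1", "acct-1": "rd-1", "outsider": "rd-2"}
    plan = [ShareEntry("vsw-1", "vpc-1", False, {"acct-1"}),
            ShareEntry("vsw-2", "vpc-1", True, {"outsider"})]
    for line in validate_plan("owner", directory, plan):
        print(line)
```

The per-VPC and per-participant counts are taken across the whole plan rather than per entry, since sharing ten VSwitches with one account one at a time looks fine entry by entry and only breaks the limit in aggregate.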
Enable VPC sharing
For more information, see Enable VPC sharing.